kurre_burre asked

Problem with permission for ad groups containing users from trusted domain

Hi all

I have a problem with permissions in MSSQL2008r2. This is our setup.

* We have a main domain, Prod, for our production environment with an AD server containing all our users.
* We have a separate development network with its own domain and AD controller, Dev.
* We have set up a trust between the Dev domain and the Prod domain, so you can log in with your "normal user" to the Dev domain.
* In Dev AD I have created security groups with "Group scope" "Domain Local" so I can add my users from the Prod domain into the groups on the Dev domain.

So far so good. I can log in to the Dev servers with my Prod domain accounts. I can set up Prod users on the SQL server and I can log in when they are explicitly added as users to MSSQL.

HOWEVER, when I add a Dev AD group containing my Prod users as an MSSQL login, it fails and I cannot log in with the user in that group.

So in short, I cannot log in with trusted users to MSSQL if they are located in a group, only if I add them as users in the login part.

Hope anyone can help out here. Adding the users one by one and granting them permission in the database is not the way I would like to go.

Best regards
Pär
security
1 comment

What's the error message that is returned and/or what is contained within the sql server log?
1 Like 1 ·

1 Answer

ThomasRushton answered
OK, without seeing any error message, it sounds to me as though you could be suffering from the Kerberos Double Hop problem, where authentication is handed off in multiple steps. Best bet - read this blog post, and work through it. https://sqlbadboy.wordpress.com/2013/10/11/the-kerberos-double-hop-problem/
1 comment

Hi thanks for the answer. I'll read the post tomorrow. It's pretty late here in Sweden so... Cheers Pär
0 Likes 0 ·
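
The information the comment and the answer ask for (the failed-login entry, the authentication protocol, and whether the group membership reaches SQL Server) can be collected with a few server-side queries. This is an added example, not part of the original thread; `DEV\SqlUsers` and `PROD\someuser` are placeholder names for the Dev domain-local group and one of its Prod members.

```sql
-- Added diagnostic sketch; DEV\SqlUsers and PROD\someuser are placeholder names.

-- 1. Which protocol authenticated the current session: KERBEROS or NTLM?
SELECT session_id, auth_scheme, net_transport
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. Is the Dev group registered as a server login, and is it enabled?
SELECT name, type_desc, is_disabled, sid
FROM sys.server_principals
WHERE name = N'DEV\SqlUsers';

-- 3. Which members does SQL Server resolve for the group?
EXEC xp_logininfo N'DEV\SqlUsers', 'members';

-- 4. Through which logins or groups ("permission path" column)
--    does the Prod user get access to the instance?
EXEC xp_logininfo N'PROD\someuser', 'all';

-- 5. Run while connected as the Prod user through its explicit login:
--    lists the principals and Windows groups in the session's login token.
SELECT name, type, usage, sid
FROM sys.login_token
ORDER BY type, name;

-- 6. Failed-login entries in the current SQL Server error log
--    (the error number and state narrow down the cause).
EXEC sp_readerrorlog 0, 1, 'Login failed';
```

A `DEV\SqlUsers` row missing from the step 5 output means the group is not in the token SQL Server built for that connection, which points at the domain and trust side instead of at SQL Server permissions.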
